Cisco SAL on Prem

nichamon — Thu, 26 Oct 2023 06:47:00 GMT

Hi,

I have try to connect my ASA5555 FTD6.4 on FMC for sent syslog to SAL (On Prem) on SNA in manager only mode. As I research If I use SNA manager to install SAL (On Prem) that didn't required CDO, Is it?

I have followed https://www.cisco.com/c/en/us/td/docs/security/sal-on-prem/integration/deployment_guide/csal_op_for_fmc_7_0_deploy_guide.pdfhttps://www.cisco.com/c/en/us/td/docs/security/sal-on-prem/integration/csal_op_app_3_2_0_deploy_guide/m_csal_op_deploy_steps_v32.html

by step

- Install the Security Analytics and Logging (OnPrem) App

For Managed Devices Running Versions Earlier than 7.0, Use Syslog

- Configure Firepower Threat Defense Settings to Export syslog to Secure Network Analytics

- Enable Connection Event Logging to syslog per Access Control Rule

- On my SAL (On Prem) I'm still have no logging.

and there is my FTD

firepower# sh run logging
logging enable
logging timestamp rfc5424
logging emblem
logging list MANAGER_VPN_EVENT_LIST level informational class auth
logging list MANAGER_VPN_EVENT_LIST level informational class vpn
logging list MANAGER_VPN_EVENT_LIST level informational class vpnc
logging list MANAGER_VPN_EVENT_LIST level informational class vpnfo
logging list MANAGER_VPN_EVENT_LIST level informational class vpnlb
logging list MANAGER_VPN_EVENT_LIST level informational class webfo
logging list MANAGER_VPN_EVENT_LIST level informational class webvpn
logging list MANAGER_VPN_EVENT_LIST level informational class ca
logging list MANAGER_VPN_EVENT_LIST level informational class svc
logging list MANAGER_VPN_EVENT_LIST level informational class ssl
logging list MANAGER_VPN_EVENT_LIST level informational class dap
logging list MANAGER_VPN_EVENT_LIST level informational class ipaa
logging FMC MANAGER_VPN_EVENT_LIST
logging host ngfw-management 192.168.2.177 17/8514 format emblem
logging permit-hostdown
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
firepower#

Am I missed some process? I have try to find and research some information about SAL (On Prem) but I'm only see about SaaS with CDO.

Re: Cisco SAL on Prem

wajidhassan — Fri, 11 Jul 2025 16:03:25 GMT

You do not need Cisco Defense Orchestrator (CDO) to use SAL On-Prem with FMC-managed FTDs, especially in Manager-Only mode (no Flow Collectors). This is a valid, supported deployment model.

The confusion comes from most public materials emphasizing the SaaS/Cisco Cloud integration (SAL via CDO). But the On-Prem SAL is fully valid on its own.

Goal Recap
You're trying to:

Send connection events from FTD 6.4.x to SAL On-Prem

Using syslog, because FTD <7.0 does not support eStreamer to SAL

Using the Manager-only deployment of SAL (no Flow Collectors, just logs)

You're not seeing logs appear in SAL On-Prem

Steps to Confirm / Review
Let's go through what must be in place.

1. SAL On-Prem Installed on SNA Manager
Ensure you followed the correct document:

You’re using this guide: SAL On-Prem for FMC 7.0 and earlier

Key things to confirm:

The SAL On-Prem App is installed and listed under System → Settings → Applications

The SAL app is configured to listen on UDP 8514

Firewall/SELinux is not blocking 8514/UDP

2. FTD Syslog Config
Your syslog output:

bash
Copy
Edit
logging enable
logging host ngfw-management 192.168.2.177 17/8514 format emblem
This looks correct if 192.168.2.177 is the SNA Manager (SAL App host).

BUT also verify:

FTD is using the correct syslog format for SAL:

For FTD <7.0, emblem + correct message IDs are needed.

Only certain syslog messages will be parsed by SAL.

Missing step: You need to enable logging in the Access Control Policy (ACP):

In FMC:

Go to Policies → Access Control Policy

Open the ACP applied to this FTD

Under each rule, check:

Log at end of connection

Send to Syslog

Set logging level (Informational or higher)

Without this, the FTD won’t send connection events to SAL.

🔹 3. SAL Parsing & Syslog Verification
✅ On your SNA Manager (hosting SAL), verify that logs are arriving at the SAL app:

bash
Copy
Edit
sudo tcpdump -nn udp port 8514
You should see traffic from your FTD. If not, FTD is not sending or network is blocking.

4. View SAL Dashboard
Log into the SNA Manager Web UI

Go to Applications → Security Analytics and Logging

You should see:

A dashboard showing "Events received"

Charts with Connection Events, Top Apps, etc.

If not:

Check the SAL logs:

bash
Copy
Edit
sudo docker logs --tail=100 -f sal
Look for parsing errors or connectivity issues.

Summary of What May Be Missing
Step Status
SAL On-Prem app installed on SNA Manager ✅ You did this
Syslog listener (UDP 8514) configured ✅ Appears correct
FTD syslog enabled and pointing to SAL ✅ Correct syntax
ACP rules logging to syslog enabled ⚠️ Often missed
SAL logs parsed successfully ❓ Check via docker logs sal
Syslog received (tcpdump on port 8514) ❓ Check with tcpdump

Next Actions
Confirm “Log at end of connection → Send to Syslog” is enabled in ACP rules on FMC.

On SAL Manager:

Run tcpdump to confirm logs are arriving

Check SAL app logs via Docker for errors

In SNA Web UI → Applications → SAL, check for any events being processed

topic Cisco SAL on Prem in Security Analytics

Cisco SAL on Prem

Re: Cisco SAL on Prem